[PATCH 1/1] 802.1X: validate input before pointer
Jouni Malinen
j at w1.fi
Mon Sep 25 13:38:13 PDT 2017
On Fri, Aug 18, 2017 at 01:14:28AM +0200, Michael Braun wrote:
> ieee802_1x_kay_decode_mkpdu calls ieee802_1x_mka_i_in_peerlist before
> body_len has been checked on all segments.
>
> ieee802_1x_kay_decode_mkpdu and ieee802_1x_mka_i_in_peerlist might
> continue and thus underflow left_len even if it finds left_len to small
> (or before checking).
>
> Additionally, ieee802_1x_mka_dump_peer_body might perform out of bound
> reads in this case.
>
> Fix this by checking left_len and aborting if too small early.
Thanks, applied.
--
Jouni Malinen PGP id EFC895FA
More information about the Hostap
mailing list